JetBrains Security Bulletin Q4 2021, key information:

1. Products and vulnerability descriptions:
- Datalore: databases belonging to other users could be attached (DL-9779).
- Hub: the JetBrains Account integration exposed API keys with excessive permissions (HUB-10958); a non-privileged user could perform a DoS attack (HUB-10976).
- IntelliJ IDEA: code could execute under the user's privileges (IDEA-243002, IDEA-277306, IDEA-282396, IDEA-275917); potential local code execution (LCE) via RLO (Right-to-Left Override) characters, which make an editor render a line in a different order than the compiler parses it (IDEA-284150).
- JetBrains Blog: blind SQL injection (BLOG-45).
- Kotlin: inability to lock dependencies in Kotlin Multiplatform Gradle projects (KT-49449).
- Kotlin website: clickjacking via kotlinlang.org (KTL-588).
- Remote Development: unexpected open ports on backend servers (GTW-894).
- Space: missing permission checks in HTTP API responses (SPACE-15991).
- TeamCity: possible redirection to external sites (TW-71113); logout did not delete the "remember me" cookie (TW-72969); GitLab authentication spoofing (TW-73375); the proxy push feature allowed selection of any private key on the server (TW-73399); blind SSRF via XML-RPC calls (TW-73465); a TOCTOU (time-of-check/time-of-use) vulnerability (TW-73468); unauthenticated attackers could cancel ongoing builds via XML-RPC requests (TW-73469); health status of pull requests was displayed to users without the proper permissions (TW-73516); stored XSS (TW-73737); URL injection leading to CSRF (TW-73859); a password change did not terminate the user's existing editing sessions (TW-73888); XXE during configuration-file parsing (TW-73932); reflected XSS (TW-74043).
- YouTrack: stored XSS in the notification template page (JT-65752; the JT- prefix is YouTrack's issue tracker); setting custom flags using read-only permissions (JT-66214); stored XSS via project icons (JT-6716).

2. CVE numbers:
- Most issues have been assigned CVE numbers, e.g. CVE-2022-24327, CVE-2022-24328, CVE-2022-24345.

3. Fixed versions:
- Most issues were resolved in specific product versions, e.g. 2021.1.1390, 2021.2.4, 2021.3.1.

4. Reporters and issue identifiers:
- The vulnerabilities were discovered and reported by multiple researchers, including Yuri Sanin, Khan Janny and Carterjennigan, and are tracked under issue identifiers such as DL-9779, HUB-10958 and TW-71113.

Summary: This bulletin gives an overview of the security issues JetBrains resolved in Q4 2021, including the affected products, fixed versions and reporters. Users of the listed products should update to the fixed versions to mitigate these risks.
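The IDEA-284150 entry concerns Right-to-Left Override characters, which change how an editor draws a line without changing what the parser reads. The scanner below is an added example, not code from the bulletin or from JetBrains' fix: it locates every Unicode bidirectional control character in source text so reviewers can flag lines whose displayed token order may differ from their logical order. The sample source it scans is constructed for the example; the function and constant names are the example's own.

```python
"""Scan source text for Unicode bidirectional control characters.

Added example, not part of the JetBrains bulletin. A Right-to-Left Override
(U+202E) makes an editor render the rest of the line right-to-left while the
compiler still parses it left-to-right, so comment text and code can trade
places on screen. The check below is a generic reviewer/CI gate, not the
IntelliJ IDEA fix referenced by IDEA-284150.
"""
import unicodedata
from typing import List, Tuple

# Characters with the Unicode Bidi_Control property: marks, embeddings,
# overrides, isolates and the "pop" codes that terminate them.
BIDI_CONTROLS = frozenset({
    "\u061c",                       # ARABIC LETTER MARK
    "\u200e", "\u200f",             # LEFT-TO-RIGHT MARK, RIGHT-TO-LEFT MARK
    "\u202a", "\u202b",             # LRE, RLE (embeddings)
    "\u202d", "\u202e",             # LRO, RLO (overrides)
    "\u202c",                       # PDF (pop directional formatting)
    "\u2066", "\u2067", "\u2068",   # LRI, RLI, FSI (isolates)
    "\u2069",                       # PDI (pop directional isolate)
})


def find_bidi_controls(text: str) -> List[Tuple[int, int, str]]:
    """Return (line, column, unicode name) for each bidi control in text.

    Line and column numbers are 1-based so they match editor locations.
    """
    hits: List[Tuple[int, int, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for col, ch in enumerate(line, start=1):
            if ch in BIDI_CONTROLS:
                hits.append((lineno, col, unicodedata.name(ch)))
    return hits


def strip_bidi_controls(text: str) -> str:
    """Remove bidi controls so the displayed order equals the parsed order."""
    return "".join(ch for ch in text if ch not in BIDI_CONTROLS)


def scan_file(path: str) -> List[Tuple[int, int, str]]:
    """Scan a file on disk; returns the same tuples as find_bidi_controls."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_bidi_controls(fh.read())


# Constructed sample (hypothetical code, written for this example). Line 4
# contains an RLO before the "#" and a PDF after "ok": the parser sees
# "or True" inside the comment, but an editor draws "# ok" reversed, so the
# token order a reviewer reads is not the order the interpreter reads.
SAMPLE = (
    "def is_trusted(user):\n"
    "    # constructed sample: the next line embeds U+202E and U+202C\n"
    "    # so its on-screen order differs from its logical order\n"
    "    return user.role == 'admin' \u202e# ok\u202c or True\n"
)

if __name__ == "__main__":
    for lineno, col, name in find_bidi_controls(SAMPLE):
        print(f"line {lineno}, col {col}: {name}")
    # Expected: line 4, col 33: RIGHT-TO-LEFT OVERRIDE
    #           line 4, col 38: POP DIRECTIONAL FORMATTING
```

A CI job can run `find_bidi_controls` over every tracked text file and fail the build on any hit; legitimate bidi text (for example Arabic or Hebrew UI strings) should then be allow-listed per file rather than by disabling the check globally.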